
Exorcist Ransomware Campaign


Campaign Summary

The ransomware group Exorcist ran an aggressive campaign against critical infrastructure and enterprise networks between April 20-30, 2026. The group deployed multiple ransomware variants, including Exorcist.Ransom (v1.9.5) and Exorcist.Metering, together with payload libraries used for lateral movement.

Objectives

  • Exfiltration of critical infrastructure data: industrial control systems (ICS), power grid databases, energy distribution networks, and transportation protocols.
  • Data theft through the C2 server at exorcist-c2.mil, used for encryption and laundering.
  • Ransom demands through paid decryption services:
    • $150,000 - $300,000 per host in USD (approx. $400-650 per user)

Tactics

  1. Hunting for Exorcist payloads: attackers used Exploit-DB signatures to identify the Exorcist.Ransom and Exorcist.Metering variants.
  2. Lateral movement via Metasploit: use of MSF v4.17.0+ with RCE payloads for network traversal.
  3. Distributed Denial-of-Service (DDoS): attackers used Nginx DDoS infrastructure to disrupt critical operations.
  4. Data exfiltration: mass transfer of industrial and operational data over encrypted channels.
  5. Ransom demand distribution: payment links distributed via email, social media, and technical forums.

Indicators of Compromise (IOCs)

Type                  | Value                                        | Context
----------------------|----------------------------------------------|----------------------------------------------------------------------------
Ransomware Payloads   | Exorcist.Ransom (v1.9.5), Microsoft Windows  | https://exploit-db.com/metasig/exorcist-ransom/32704
Ransomware Payloads   | Exorcist.Metering (v1.9.5), Windows / Linux  | https://exploit-db.com/metasig/exorcist-metering/32704
C2 Server Domain      | exorcist-c2.mil (TLS 1.3)                    | N/A; known C2 infrastructure from analysis of the Exorcist attack group
Distribution Channels | Email with malicious attachments             | Technical forums, social media groups, enterprise email systems
Payload Libraries     | Metasploit v4.17.0+ (RCE payload)            | N/A; attack method used to identify payloads and execute them
Attack Timeline       | April 20-30, 2026                            | Peak attack activity period with multiple phases (initialization, encryption, exfiltration)

Impact

The Exorcist campaign resulted in significant data breaches affecting critical infrastructure and enterprise organizations. Attackers targeted industrial control systems, which are essential to modern manufacturing, energy distribution, and transportation networks.

Technical analysis revealed multiple attack vectors, including payload libraries that allowed attackers to bypass detection by using legitimate software versions with modified signatures.


Jordi Serrano — Senior Cyber Threat Intelligence
